THAT WHICH IS CLAIMED IS: 



1. A method for providing secure communications
over a network in a distributed workload environment
having target hosts which are accessed through a
distribution processor by a common network address, the
method comprising the steps of:

routing both inbound and outbound communications
with target hosts which are associated with a secure
network communication through the distribution processor;
and

processing both inbound and outbound secure network
communications at the distribution processor so as to
provide network security processing of communications
from the target host and network security processing of
communications to the target host.

2. A method according to Claim 1, further
comprising the steps of:

receiving at the distribution processor, network
communications directed to the common network address;
and

distributing the received network communications to
selected ones of the target hosts so as to distribute
workload associated with the network communications.

3. A method according to Claim 2, further
comprising the steps of:

determining if the received network communications
are secure network communications which are to be
distributed to ones of the target hosts;

wherein the step of processing both inbound and
outbound secure network communications at the
distribution processor comprises the step of processing
the received network communications so as to provide
generic communications to the ones of the plurality of
target hosts if the received network communications are
secure network communications which are distributed to
ones of the target hosts.

RSW920000131US1



4. A method according to Claim 3, wherein the step
of processing both inbound and outbound secure network
communications further comprises the steps of:

receiving at the distribution processor
communications from the ones of the target hosts which
are associated with secure network communications; and

processing the received communications from the ones
of the target hosts so as to provide network security for
the communications from the ones of the target hosts.



5. A method according to Claim 4, wherein the
communications received from the target hosts and the
generic communications to ones of the plurality of target
hosts are encapsulated in a generic routing format.

6. A method according to Claim 4, wherein the
generic communications are encapsulated in a generic
routing format having sufficient information in a header
of the generic routing format so as to authenticate the
source of the communication between the distribution
processor and ones of the plurality of target hosts.

7. A method according to Claim 4, wherein the
communications received from the target hosts at the
distribution processor and the generic communications to
ones of the plurality of target hosts from the
distribution processor are communicated over trusted
communication links.

8. A method according to Claim 4, further
comprising the step of establishing common IP filters for
communications encapsulated in a generic routing format
at the distribution processor and the plurality of target
hosts.

9. A method according to Claim 8, wherein the
common IP filters bypass IP filtering for inbound
communications encapsulated in the generic routing
format.



10. A method for providing Internet Protocol
Security (IPSec) communications from a network to a
plurality of application instances executing on a cluster
of data processing systems utilizing virtual Internet
Protocol Address (VIPA) Distributor to provide a routing
communication protocol stack which distributes
connections to at least one dynamically routable VIPA
(DVIPA) to a plurality of target communication protocol
stacks, the method comprising the steps of:

receiving inbound IPSec communications to the DVIPA
from the network at the routing communication protocol
stack;

performing IPSec processing of the received inbound
IPSec communications at the routing communication
protocol stack to provide non-IPSec communications to a
first target communication protocol stack associated with
the received inbound IPSec communications;

receiving outbound non-IPSec communications
associated with the DVIPA from a second target
communication protocol stack at the routing communication
protocol stack; and

performing IPSec processing on the received outbound
non-IPSec communications at the routing communication
protocol stack to provide outbound IPSec communications
to the network corresponding to the received outbound
non-IPSec communications.

11. A method according to Claim 10, wherein the
target communication protocol stacks carry out the step
of sending outbound communications associated with a
connection utilizing IPSec which is routed through the
routing communication protocol stack to the routing
communication protocol stack for IPSec processing.

12. A method according to Claim 10, wherein the
second target communication protocol stack further
carries out the steps of:

determining if an outbound communication associated
with a connection utilizing IPSec is routed through the
routing communication protocol stack;

sending non-IPSec communications for the connection
utilizing IPSec to the routing communication protocol
stack if the connection utilizing IPSec is routed through
the routing communication protocol stack; and

IPSec processing communications if the connection
utilizing IPSec is not routed through the routing
communication protocol stack.

13. A method according to Claim 10, where the
routing communication protocol stack and the plurality of
target communication protocol stacks communicate
utilizing a trusted communication link.

14. A method according to Claim 13, wherein the
cluster of data processing systems comprises a Sysplex
and wherein the trusted communication link is a cross
coupling facility of the Sysplex.
15. A method according to Claim 10, wherein the
routing communication protocol stack further carries out
the steps of:

encapsulating the IPSec processed communications in
a generic routing encapsulation (GRE) formatted
communication; and

sending the GRE formatted communication to the first
target communication protocol stack over a trusted
communication link;

wherein the step of receiving outbound non-IPSec
communications from a second target communication
protocol stack at the routing communication protocol
stack comprises the step of receiving a GRE encapsulated
communication from the second target communication
protocol stack; and

wherein the step of performing IPSec processing on
the received outbound non-IPSec communications at the
routing communication protocol stack to provide outbound
IPSec communications to the network corresponding to the
received outbound non-IPSec communications comprises the
steps of:

extracting a non-IPSec communication from the
received GRE encapsulated communication; and

IPSec processing the extracted non-IPSec
communication.



16. A method according to Claim 15, further
comprising the steps of establishing common IP filters
for GRE encapsulated communications at the routing
communication protocol stack and the target communication
protocol stacks.

17. A method according to Claim 16, wherein the
common IP filters bypass IP filtering for inbound GRE
encapsulated communications.
18. A method according to Claim 15, wherein the
cluster of data processing systems comprises a Sysplex
and wherein the routing communication protocol stack and
the target communication protocol stacks communicate
utilizing a cross coupling facility (XCF) of the Sysplex
and wherein the GRE encapsulated communications include
an XCF source address and an XCF destination address in
an outer GRE header.

19. A method according to Claim 18, further
comprising the steps of:

evaluating an IP address of a physical link over
which a GRE encapsulated communication was received and
an IP address in the received GRE encapsulated
communication to determine if the received GRE
encapsulated communication was received over an XCF link;
and

discarding the received GRE encapsulated
communication if the received GRE encapsulated
communication was not received over an XCF link.
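Claims 10 through 19 describe one data path: IPSec is terminated at the routing (distributor) stack, the clear-text packet travels to the chosen target stack as GRE over XCF with XCF addresses in the outer header, the reverse direction extracts the inner packet from GRE and applies IPSec before it leaves for the network, inbound GRE bypasses the common IP filters, and a GRE packet that did not arrive over an XCF link is discarded. Claims 1 to 9, 20 to 38 and 39 to 57 restate the same arrangement in generic, system and program-product form. The following is an added example written for this page; it is not code from the patent or from any z/OS Communications Server implementation. It models that data path in Python: the DVIPA, the XCF addresses, the client address, the key and the traffic are all constructed, an HMAC stands in for real IPSec (ESP) processing, the connection table is a simple round robin, and `link_addr` is taken to be the address of the local interface a packet arrived on, which is one reading of the "IP address of a physical link" in claim 19.

```python
from dataclasses import dataclass
import hashlib
import hmac

# Everything below (addresses, key, traffic) is constructed for this example.
DVIPA = "10.1.1.1"                                  # distributed VIPA seen by the network
XCF = {"routing": "172.16.0.1", "tgt1": "172.16.0.2", "tgt2": "172.16.0.3"}
XCF_LINKS = set(XCF.values())                       # addresses that identify XCF links
SA_KEY = b"constructed-sysplex-key"                 # stand-in for an IPSec SA; toy MAC, not ESP


@dataclass
class IPPacket:
    src: str
    dst: str
    payload: bytes
    ipsec: bool = False                             # True once the payload carries the toy MAC


@dataclass
class GREPacket:
    outer_src: str                                  # XCF source address, outer header (claim 18)
    outer_dst: str                                  # XCF destination address, outer header
    inner: IPPacket                                 # the non-IPSec ("generic") communication


def ipsec_protect(pkt: IPPacket) -> IPPacket:
    """Toy IPSec processing: prepend an HMAC over the payload (integrity only)."""
    tag = hmac.new(SA_KEY, pkt.payload, hashlib.sha256).digest()
    return IPPacket(pkt.src, pkt.dst, tag + pkt.payload, ipsec=True)


def ipsec_unprotect(pkt: IPPacket) -> IPPacket:
    """Reverse of ipsec_protect; raises if the tag does not verify."""
    tag, body = pkt.payload[:32], pkt.payload[32:]
    if not hmac.compare_digest(tag, hmac.new(SA_KEY, body, hashlib.sha256).digest()):
        raise ValueError("IPSec integrity check failed")
    return IPPacket(pkt.src, pkt.dst, body)


def received_over_xcf(gre: GREPacket, link_addr: str) -> bool:
    """Claim 19: the address of the physical link the packet arrived on and the
    outer source address must both belong to XCF links; otherwise discard."""
    return link_addr in XCF_LINKS and gre.outer_src in XCF_LINKS


class RoutingStack:
    """VIPA Distributor stack: IPSec toward the network, GRE over XCF inside."""

    def __init__(self, targets):
        self.targets = targets
        self.conn_table = {}                        # client address -> target stack name

    def ip_filter(self, pkt: IPPacket) -> bool:
        # Common IP filter (claims 8/9, 16/17): from the network only IPSec traffic
        # for the DVIPA is admitted; inbound GRE from XCF bypasses this filter.
        return pkt.dst == DVIPA and pkt.ipsec

    def inbound(self, pkt: IPPacket):
        if not self.ip_filter(pkt):
            return None
        clear = ipsec_unprotect(pkt)                # IPSec processing at the routing stack
        if clear.src not in self.conn_table:        # new connection: pick a target (claim 2)
            self.conn_table[clear.src] = self.targets[len(self.conn_table) % len(self.targets)]
        return GREPacket(XCF["routing"], XCF[self.conn_table[clear.src]], clear)  # claim 15

    def outbound(self, gre: GREPacket, link_addr: str):
        if not received_over_xcf(gre, link_addr):
            return None                             # claim 19: not from an XCF link, drop
        return ipsec_protect(gre.inner)             # IPSec processing on the extracted packet


class TargetStack:
    def __init__(self, name: str, routed_via_distributor: bool):
        self.name = name
        self.routed = routed_via_distributor        # connection routed through the routing stack?

    def receive(self, gre: GREPacket, link_addr: str):
        # Inbound GRE bypasses IP filtering (claim 17) but still faces the XCF check.
        return gre.inner if received_over_xcf(gre, link_addr) else None

    def send(self, pkt: IPPacket):
        """Claim 12: clear text to the routing stack when the connection is routed
        through it, local IPSec processing otherwise."""
        if self.routed:
            return GREPacket(XCF[self.name], XCF["routing"], pkt)
        return ipsec_protect(pkt)


def run_exchange():
    """One request/reply through the distributor plus one spoofed GRE packet."""
    rs = RoutingStack(["tgt1", "tgt2"])
    t1 = TargetStack("tgt1", routed_via_distributor=True)
    client = "192.0.2.10"
    gre_in = rs.inbound(ipsec_protect(IPPacket(client, DVIPA, b"GET /")))
    delivered = t1.receive(gre_in, XCF["tgt1"])
    reply = rs.outbound(t1.send(IPPacket(DVIPA, client, b"200 OK")), XCF["routing"])
    # Valid-looking outer header, but injected from a non-XCF interface: dropped.
    forged = GREPacket(XCF["tgt1"], XCF["routing"], IPPacket(DVIPA, client, b"pwn"))
    spoofed = rs.outbound(forged, "198.51.100.7")
    return gre_in, delivered, reply, spoofed
```

The point the forged packet makes is why claims 17 and 19 belong together: once inbound GRE bypasses the IP filters, the only thing stopping an attacker on an ordinary network interface from injecting clear-text "generic" traffic with a plausible XCF outer header is the check that the packet physically arrived over an XCF link. Real GRE carries no authentication of its own, so the trust in this design rests on the XCF link being inaccessible from outside the Sysplex.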

20. A system for providing secure communications
over a network in a distributed workload environment
having target hosts which are accessed through a
distribution processor by a common network address,
comprising:

means for routing both inbound and outbound
communications with target hosts which are associated
with a secure network communication through the
distribution processor; and

means for processing both inbound and outbound
secure network communications at the distribution
processor so as to provide network security processing of
communications from the target host and network security
processing of communications to the target host.
21. A system according to Claim 20, further
comprising:

means for receiving at the distribution processor,
network communications directed to the common network
address; and

means for distributing the received network
communications to selected ones of the target hosts so as
to distribute workload associated with the network
communications.

22. A system according to Claim 21, further
comprising:

means for determining if the received network 
communications are secure network communications which 
are to be distributed to ones of the target hosts; 

wherein the means for processing both inbound and 
outbound secure network communications at the 
distribution processor comprise means for processing the 
received network communications so as to provide generic 
communications to the ones of the plurality of target 
hosts if the received network communications are secure 
network communications which are distributed to ones of 
the target hosts. 

23. A system according to Claim 22, wherein the
means for processing both inbound and outbound secure
network communications further comprises:

means for receiving at the distribution processor 
communications from the ones of the target hosts which 
are associated with secure network communications; and 

means for processing the received communications 
from the ones of the target hosts so as to provide 
network security for the communications from the ones of 
the target hosts. 
24. A system according to Claim 23, wherein the
communications received from the target hosts and the
generic communications to ones of the plurality of target
hosts are encapsulated in a generic routing format.


25. A system according to Claim 23, wherein generic
communications are encapsulated in a generic routing
format having sufficient information in a header of the
generic routing format so as to authenticate the source
of the communication between the distribution processor
and ones of the plurality of target hosts.

26. A system according to Claim 23, wherein the
communications received from the target hosts and the
generic communications to ones of the plurality of target
hosts are communicated over trusted communication links.



27. A system according to Claim 23, further
comprising means for establishing common IP filters for
communications encapsulated in the generic routing format
at the distribution processor and the plurality of target
hosts.



28. A system according to Claim 27, wherein the
common IP filters bypass IP filtering for inbound
communications encapsulated in the generic routing
format.



29. A system for providing Internet Protocol
Security (IPSec) communications from a network to a
plurality of application instances executing on a cluster
of data processing systems utilizing virtual Internet
Protocol Address (VIPA) Distributor to provide a routing
communication protocol stack which distributes
connections to at least one dynamically routable VIPA
(DVIPA) to a plurality of target communication protocol
stacks, comprising:

means for receiving inbound IPSec communications to
the DVIPA from the network at the routing communication
protocol stack;

means for performing IPSec processing of the
received inbound IPSec communications at the routing
communication protocol stack to provide non-IPSec
communications to a first target communication protocol
stack associated with the received inbound IPSec
communications;

means for receiving outbound non-IPSec
communications from a second target communication
protocol stack at the routing communication protocol
stack; and

means for performing IPSec processing on the
received outbound non-IPSec communications at the routing
communication protocol stack to provide outbound IPSec
communications to the network corresponding to the
received outbound non-IPSec communications.



30. A system according to Claim 29, wherein the 
target communication protocol stacks further comprise 
means for sending outbound communications associated with 
a connection utilizing IPSec which is routed through the 
routing communication protocol stack to the routing 
communication protocol stack for IPSec processing. 

31. A system according to Claim 29, wherein the
target communication protocol stacks further comprise:

means for determining if an outbound communication
associated with a connection utilizing IPSec is routed
through the routing communication protocol stack;

means for sending non-IPSec communications for the
connection utilizing IPSec to the routing communication
protocol stack if the connection utilizing IPSec is
routed through the routing communication protocol stack;
and

means for IPSec processing communications if the
connection utilizing IPSec is not routed through the
routing communication protocol stack.

32. A system according to Claim 29, where the
routing communication protocol stack and the plurality of
target communication protocol stacks communicate
utilizing a trusted communication link.

33. A system according to Claim 32, wherein the
cluster of data processing systems comprises a Sysplex
and wherein the trusted communication link is a cross
coupling facility of the Sysplex.

34. A system according to Claim 29, wherein the
routing communication protocol stack further comprises:

means for encapsulating the IPSec processed
communications in a generic routing encapsulation (GRE)
formatted communication; and

means for sending the GRE formatted communication to
the first target communication protocol stack over a
trusted communication link;

wherein the means for receiving outbound non-IPSec
communications from a second target communication
protocol stack at the routing communication protocol
stack comprises means for receiving a GRE encapsulated
communication from the second target communication
protocol stack; and

wherein the means for performing IPSec processing on
the received outbound non-IPSec communications at the
routing communication protocol stack to provide outbound
IPSec communications to the network corresponding to the
received outbound non-IPSec communications comprises:

means for extracting a non-IPSec communication from
the received GRE encapsulated communication; and

means for IPSec processing the extracted non-IPSec
communication.

35. A system according to Claim 34, further
comprising means for establishing common IP filters for
GRE encapsulated communications at the routing
communication protocol stack and the target communication
protocol stacks.

36. A system according to Claim 35, wherein the
common IP filters bypass IP filtering for inbound GRE
encapsulated communications.

37. A system according to Claim 34, wherein the
cluster of data processing systems comprises a Sysplex
and wherein the routing communication protocol stack and
the target communication protocol stacks communicate
utilizing a cross coupling facility (XCF) of the Sysplex
and wherein the GRE encapsulated communications include
an XCF source address and an XCF destination address in
an outer GRE header.

38. A system according to Claim 37, further
comprising:

means for evaluating an IP address of a physical
link over which a GRE encapsulated communication was
received and an IP address in the received GRE
encapsulated communication to determine if the received
GRE encapsulated communication was received over an XCF
link; and

means for discarding the received GRE encapsulated
communication if the received GRE encapsulated
communication was not received over an XCF link.

39. A computer program product for providing secure
communications over a network in a distributed workload
environment having target hosts which are accessed
through a distribution processor by a common network
address, comprising:

a computer readable medium having computer readable
program code embodied therein, the computer readable
program code comprising:

computer readable program code which routes both
inbound and outbound communications with target hosts
which are associated with a secure network communication
through the distribution processor; and

computer readable program code which processes both
inbound and outbound secure network communications at the
distribution processor so as to provide network security
processing of communications from the target host and
network security processing of communications to the
target host.

40. A computer program product according to Claim
39, further comprising:

computer readable program code which receives at the
distribution processor, network communications directed
to the common network address; and

computer readable program code which distributes the
received network communications to selected ones of the
target hosts so as to distribute workload associated with
the network communications.

41. A computer program product according to Claim
40, further comprising:

computer readable program code which determines if
the received network communications are secure network
communications which are to be distributed to ones of the
target hosts;

wherein the computer readable program code which
processes both inbound and outbound secure network
communications at the distribution processor comprises
computer readable program code which processes the
received network communications so as to provide generic
communications to the ones of the plurality of target
hosts if the received network communications are secure
network communications which are distributed to ones of
the target hosts.

42. A computer program product according to Claim
41, wherein the computer readable program code which
processes both inbound and outbound secure network
communications further comprises:

computer readable program code which receives at the
distribution processor communications from the ones of
the target hosts which are associated with secure network
communications; and

computer readable program code which processes the
received communications from the ones of the target hosts
so as to provide network security for the communications
from the ones of the target hosts.

43. A computer program product according to Claim
42, wherein the communications received from the target
hosts and the generic communications to ones of the
plurality of target hosts are encapsulated in a generic
routing format.

44. A computer program product according to Claim
42, wherein generic communications are encapsulated in a
generic routing format having sufficient information in a
header of the generic routing format so as to
authenticate the source of the communication between the
distribution processor and ones of the plurality of
target hosts.

45. A computer program product according to Claim
42, wherein the communications received from the target
hosts at the distribution processor and the generic
communications to ones of the plurality of target hosts
from the distribution processor are communicated over
trusted communication links.

46. A computer program product according to Claim
42, further comprising computer readable program code
which establishes common IP filters for communications
encapsulated in the generic routing format at the
distribution processor and the plurality of target hosts.

47. A computer program product according to Claim
46, wherein the common IP filters bypass IP filtering for
inbound communications encapsulated in the generic
routing format.

48. A computer program product for providing
Internet Protocol Security (IPSec) communications from a
network to a plurality of application instances executing
on a cluster of data processing systems utilizing virtual
Internet Protocol Address (VIPA) Distributor to provide a
routing communication protocol stack which distributes
connections to at least one dynamically routable VIPA
(DVIPA) to a plurality of target communication protocol
stacks, comprising:

a computer readable medium having computer readable
program code embodied therein, the computer readable
program code comprising:

computer readable program code which receives
inbound IPSec communications to the DVIPA from the
network at the routing communication protocol stack;

computer readable program code which performs IPSec
processing of the received inbound IPSec communications
at the routing communication protocol stack to provide
non-IPSec communications to a first target communication
protocol stack associated with the received inbound IPSec
communications;

computer readable program code which receives
outbound non-IPSec communications from a second target
communication protocol stack at the routing communication
protocol stack; and

computer readable program code which performs IPSec
processing on the received outbound non-IPSec
communications at the routing communication protocol
stack to provide outbound IPSec communications to the
network corresponding to the received outbound non-IPSec
communications.

49. A computer program product according to Claim
48, wherein the target communication protocol stacks
carry out the step of sending outbound communications
associated with a connection utilizing IPSec which is
routed through the routing communication protocol stack
to the routing communication protocol stack for IPSec
processing.

50. A computer program product according to Claim
48, further comprising:

computer readable program code which determines if
an outbound communication associated with a connection
utilizing IPSec is routed through the routing
communication protocol stack;

computer readable program code which sends non-IPSec
communications for the connection utilizing IPSec to the
routing communication protocol stack if the connection
utilizing IPSec is routed through the routing
communication protocol stack; and

computer readable program code which IPSec processes
communications if the connection utilizing IPSec is not
routed through the routing communication protocol stack.

51. A computer program product according to Claim
48, where the routing communication protocol stack and
the plurality of target communication protocol stacks
communicate utilizing a trusted communication link.

52. A computer program product according to Claim
51, wherein the cluster of data processing systems
comprises a Sysplex and wherein the trusted communication
link is a cross coupling facility of the Sysplex.

53. A computer program product according to Claim
48, further comprising:

computer readable program code which encapsulates
the IPSec processed communications in a generic routing
encapsulation (GRE) formatted communication; and

computer readable program code which sends the GRE
formatted communication to the first target communication
protocol stack over a trusted communication link;

wherein the computer readable program code which
receives outbound non-IPSec communications from a second
target communication protocol stack at the routing
communication protocol stack comprises computer readable
program code which receives a GRE encapsulated
communication from the second target communication
protocol stack; and

wherein the computer readable program code which
performs IPSec processing on the received outbound
non-IPSec communications at the routing communication
protocol stack to provide outbound IPSec communications
to the network corresponding to the received outbound
non-IPSec communications comprises:

computer readable program code which extracts a
non-IPSec communication from the received GRE
encapsulated communication; and

computer readable program code which IPSec processes
the extracted non-IPSec communication.


54. A computer program product according to Claim
53, further comprising computer readable program code
which establishes common IP filters for GRE encapsulated
communications at the routing communication protocol
stack and the target communication protocol stacks.

55. A computer program product according to Claim
54, wherein the common IP filters bypass IP filtering for
inbound GRE encapsulated communications.


56. A computer program product according to Claim
53, wherein the cluster of data processing systems
comprises a Sysplex and wherein the routing communication
protocol stack and the target communication protocol
stacks communicate utilizing a cross coupling facility
(XCF) of the Sysplex and wherein the GRE encapsulated
communications include an XCF source address and an XCF
destination address in an outer GRE header.
57. A computer program product according to Claim
56, further comprising:

computer readable program code which evaluates an IP
address of a physical link over which a GRE encapsulated
communication was received and an IP address in the
received GRE encapsulated communication to determine if
the received GRE encapsulated communication was received
over an XCF link; and

computer readable program code which discards the
received GRE encapsulated communication if the received
GRE encapsulated communication was not received over an
XCF link.